VPN services have grown increasingly popular in recent years, but not all are completely anonymous. Some VPN services even keep extensive logs of users' IP-addresses for weeks. To find out which are the best VPNs, TorrentFreak asked several dozen providers about their logging policies, and more.

Millions of people use a VPN service to browse the Internet securely and anonymously. Unfortunately, however, not all VPN services are as anonymous as they claim to be and some keep extensive logs of private information.

To help VPN users to make an informed choice we decided to ask dozens of VPN services how they protect the privacy of their users. Today we present the fifth iteration of our annual VPN services “logging” review.

In addition to questions about logging policies we also asked VPN providers about various other privacy-related issues.

—

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, what information and for how long?

2. What is the registered name of the company and under what jurisdiction(s) does it operate?

3. Do you use any external visitor tracking, email providers or support tools that hold information of your users / visitors?

4. In the event you receive a takedown notice (DMCA or other), how are these handled?

5. What steps are taken when a valid court order or subpoena requires your company to identify an active user of your service? Has this ever happened?

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Which payment systems do you use and how are these linked to individual user accounts?

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users? Do you provide DNS leak protection and tools such as “kill switches” if a connection drops?

9. Do you offer a custom VPN application to your users? If so, for which platforms?

10. Do you use your own DNS servers?

11. Do you have physical control over your VPN servers and network or are they hosted by/accessible to a third party?

12. What countries are your servers located in?

—

What follows is the list of responses from the VPN services, in their own words. Providers who didn’t answer our questions directly or failed by logging extensively were excluded. We specifically chose to leave room for detailed answers where needed. The order of the list holds no value.

1. We do not store logs relating to traffic, session, DNS or metadata. In other words, we do not log, period. Privacy is our policy.

2. We’re known as London Trust Media, Inc., and we are located in the US, one of the few countries that do not have a mandatory data retention policy. Additionally, since we operate in the country with the strongest of consumer protection laws, our beloved clients are able to purchase with confidence.

3. We take advantage of Google Apps and Analytics. All of our systems and support tools are in-house.

4. We do not monitor our users, period. That said, we have an active proprietary system in place to help mitigate abuse.

5. Every subpoena is scrutinized to the highest extent for compliance with both the “spirit” and “letter of the law.” We have not received a valid court order. All this being said, we do not log and do not have any data on our customers other than their e-mail and account username.

8. Currently, the most secure and practical encryption algorithm that we recommend to our users would be our cypher suite of AES-256 + RSA4096 + SHA256. That being said, AES-128 is still safe. Our users specifically also gain a plethora of additional protections, including but not limited to:

(a) Kill Switch: Ensure that traffic is routed through the VPN such that if the VPN connection is unexpectedly terminated, the traffic will not route.
(b) IPv6 Leak Protection: Protects clients from websites which may include IPv6 embeds, which could leak to IPv6 IP information coming out.
(c) DNS Leak Protection: This is built-in and ensures that DNS requests are made through the VPN on a safe, private, no-log DNS daemon.
(d) Shared IP System: We mix clients’ traffic with many other clients’ traffic through the use of an anonymous shared-IP system ensuring that our users blend in with the crowd.

9. We have a great application to which our users have left amazing reviews. It is supported on the following platforms: Windows, Mac OS X, Linux, Android, iOS and a Chrome Extension (Coming soon).

Additionally, users of other operating systems can connect with other protocols including OpenVPN and IPSec among others. Our application maintains connection debug information, stored safely, locally and is regularly destroyed. This is for users who wish to seek assistance in the rare case of connection issues.

10. Yes, we operate our own DNS servers on our high throughput network. These servers are private and do not log.

11. We utilize third party datacenters that are operated by trusted friends and, now, business partners who we have met and completed serious diligence on. Our servers are located in facilities including 100TB, UK2, SoftLayer, Choopa, Leaseweb, among others.

1. We never keep traffic logs, and we also don’t keep any logs that might enable someone to match an IP and timestamp back to a user. We work entirely on the basis of shared IPs, meaning that a single IP does not track back to an individual user. For the purpose of improving network resource allocation, we record aggregate data-transfer amounts and choice of server location, neither of which are data points that can identify a specific user as part of an investigation.

2. Express VPN International Ltd., located in the British Virgin Islands. We operate according to BVI laws.

3. We use Google Analytics, Zendesk for tickets, and Snapengage for live chat support.

4. There is nothing to take down, as we are not a content host. We maintain the anonymity of our customers and would not attempt to identify users on the basis of DMCA notices.

5. A court order would need to take place in the BVI. If we receive a valid informational request from another jurisdiction, we let them know that we don’t maintain logs that would enable us to match an IP to an ExpressVPN user.

6. Yes, absolutely allowed.

7. VISA, Mastercard, Paypal, American Express, Discover, JCB, Diners Club, Alipay, UnionPay, Webmoney, Yandex Money, Giropay, Sofort, Maestro, Carte Bleue, FanaPay, OneCard, Tenpay, iDeal. And most importantly for users who don’t want to submit personal payment details: bitcoin. The information you are required to submit varies with the payment method selected. With bitcoin we require only an email address so we can communicate with you.

8. OpenVPN. Our apps use a 4096-bit CA, AES-256-CBC, TLSv1.2, SHA512, and strong ciphers. Yes, we protect against DNS leaks, leaks that happen if the connection drops unexpectedly, or other types of leaks that might happen during the connection (such as IPv6 leaks). We call this the “Network Lock” and the feature is turned on by default.

9. Yes, ExpressVPN has custom apps for Windows, Mac, Android, iOS, and soon also Linux and Routers. The apps are careful not to write diagnostic information to disk. They only save to disk if the user clicks “Save Diagnostics”, which saves a text file that the user can then choose to share with our support team.

10. Yes, all ExpressVPN servers run their own DNS. This ensures speed and privacy.

11. We use premium data centers with strong security practices, and the data centers don’t have access to ExpressVPN servers. Because we don’t keep logs, we also mitigate the threat of physical theft of servers.

1. NordVPN is continuously committed to our zero log policy, which means we do not log any of our users’ activity, nor the IP addresses or timestamps.

2. NordVPN is registered under the company “Tefincom co S.A.”. We operate in the jurisdiction of Panama.

3. We use Google Analytics and a third-party ticket/live chat tool. Google Analytics is used to improve our website so our users would have the most relevant information at their reach. Ticket/live chat tool is used to provide the best support in the industry (24/365), but not tracking our users by any means.

4. Nothing has changed from last year. Still, all the notices are ignored because they have no legal bearing to us as we only need to comply with Panamanian law.

5. If we do receive a valid court order, firstly it would have to comply with the laws of Panama. In that case, the court settlement should happen in Panama first, however were this to happen, we would not be able to provide any information, because we keep exactly nothing about our users.

6. We do not restrict file-sharing on the majority of our servers. Some servers are optimized for file-sharing practice, while others are optimized for other VPN uses (i.e. streaming).

7. We accept payments via Bitcoin, Credit Card and PayPal. Bitcoin is the best payment option to maintain your anonymity, as it has only the paid amount linked to the client. Users who purchase services via PayPal or credit card are linked with the usual information the seller can see about the buyer. Please note that users’ accounts are only linked with the payment but not the online activity.

8. We take pride in our top notch anonymity solutions, which we would like to recommend to everyone seeking real privacy. One of them is Double VPN, where the traffic is routed through at least two hops before it reaches the Internet. The connection is encrypted within two layers of cipher AES-256-CBC encryption. Another security solution – Tor over VPN. Firstly, the traffic is encrypted within NordVPN layer and later sent to the Tor network and exits to the Internet through one of the Tor exit relays. Both of these security solutions provide a great encryption and anonymity combination. The benefit of using these solutions is that the chances of being tracked are eliminated. In addition, you are able to access .onion websites when connected to Tor over VPN. Furthermore, our regular servers have a strong encryption which is 2048bit SSL for OpenVPN protocol, AES-256bit for L2TP.

In addition to that, we have advanced security solutions, such as the “kill switch” and DNS leak protection which provide the maximum possible security level for our customers.

9. We do have custom applications for Windows, Mac OS X, iPhone, iPad and Android devices. Our applications store only connection logs which are used for troubleshooting when the user provides them to us. Traffic logs are not stored there.

10. We do have our own DNS servers and all DNS requests go through those servers.

1. Anonymizer does not log ANY traffic that traverses our system, ever. We do not maintain any logs that would allow you to match an IP-address and time stamp to a user of our service.

2. Our company is registered as Anonymizer Inc. Anonymizer Inc. operates under U.S. jurisdiction where there are no data retention laws.

3. Anonymizer uses a ticketing system for support, but does not request user verification unless it is needed specifically in support of a ticket. Anonymizer uses a bulk email service for email marketing, but does not store any details on the individual email address that would connect them to being an existing customer. Anonymizer uses Google Analytics and Google Adwords to support general marketing to new customers. Both of these tools do not store identifiable information on any unique customer or any way to identify a specific individual as a user of our service. We also actively ensure no link is created from the data in either system to any specific customer following a trial or purchase of our product.

4. We can’t. We don’t monitor or log traffic. When we receive reports of abuse, we have no way to isolate or remediate it.

5. Anonymizer Inc. only responds to official valid court orders or subpoenas that comply with information we have available. Since we do not log any traffic that comes over our system, we have nothing to provide in response to requests associated to service use. If a user paid by credit card we can only confirm that they purchased access to our service. There is, and would be, no way to connect a specific user to specific traffic ever. There have been instances where we did receive valid court orders and followed our above procedures. In the 20 years of service we have never identified details about a customer’s traffic or activities.

6. All traffic is allowed on all of our servers.

7. Anonymizer Inc. uses a payment processor for our credit card payments. There is a record of the payment for the service and the billing information associated to the credit card confirming the service has been paid for. We also offer a cash payment option and will soon offer crypto-currency options i.e. Bitcoin. Cash payment options do not store any details.

8. We would recommend OpenVPN for a user that is looking for the most secure connection. We feel it is the most reliable and stable connection protocol currently. Our OpenVPN implementation uses AES-256. We also offer L2TP, which is IPSEC. Anonymizer’s client software has the option to enable a kill switch that prevents any web traffic from exiting your machine without going through the VPN.

9. We offer a custom VPN application for OSX and Windows. Our default application log only logs fatal errors that occur within the application which prevents the application from running.

10. Yes, we operate our own DNS servers.

11. We own ALL of our hardware, and have full physical control of our servers. No third party has access to our environment.

1. No logs or time stamps are kept whatsoever. TorGuard does not store any traffic logs or user session data on our network. In addition to a strict no logging policy we run a shared IP configuration across all servers. Because there are no logs kept with multiple users sharing a single IP address, it is not possible to match a user with an IP and time stamp.

2. TorGuard is owned and operated by VPNetworks LLC under US jurisdiction, with our parent company VPNetworks LTD, LLC based in Nevis.

3. We use Sendgrid for bulk email services and encourage users to take advantage of TorGuard’s free email service for increased anonymity during signup. Our 24/7 live chat services are managed by Livechatinc’s platform. Advanced support desk requests are maintained by TorGuard’s own internal support ticketing system.

4. Because we do not host any content it is not possible for us to remove anything from a server. In the event a valid DMCA notice is received it is immediately processed by our abuse team. Due to our no log policy and shared IP network configuration we are unable to forward any requests to a single user.

5. If a court order is received, it is first handled by our legal team and examined for validity in our jurisdiction. Should it be deemed valid, our legal representation would be forced to further explain the nature of a shared IP configuration and the fact that we do not hold any identifying logs. No, we remain unable to identify any active user from an external IP address and time stamp.

6. Yes, BitTorrent and all P2P traffic is allowed. By default we do not block or limit any types of traffic across our network.

7. We currently accept over 200 different payment options through all forms of credit card, PayPal, Bitcoin, altcoins (e.g. dogecoin, litecoin + more), Alipay, UnionPay, CashU, 100+ Gift Cards, and many other methods. No usage can be linked back to a billing account due to the fact that we maintain zero logs across our network.

8. For best security we advise clients to use OpenVPN connections only and for encryption select AES256 with 2048bit RSA. AES128 is also considered very safe and is a great option if download speed is a priority. Yes, TorGuard provides a full range of security features including a connection kill switch, application kill switch, DNS leak protection, IPv6 leak protection, WebRTC leak protection, and Stealth VPN services. All encryption and security features are available to clients at no additional charge.

9. TorGuard offers a custom VPN application powered by OpenVPN for all versions of Windows, OSX, Linux and Android. We also offer a custom iOS app available on iTunes, however due to Apple’s API restrictions the app uses IPsec for VPN connections. TorGuard’s custom VPN applications do not store any connection logs on the user’s local machine.

10. Yes, we offer all clients the choice between private no log TorGuard DNS servers or Level 3 and Google DNS servers. Members also have the option of using TorGuard local DNS, which is a no log DNS solution running locally on each VPN endpoint.

11. Yes, we retain full physical control over all hardware and only seek partnerships with data centers who can meet our strict security criteria. All servers are deployed and managed exclusively by our in house networking team via a single, secure key.

2. Slick Networks, Inc. is our recognized corporate name. We operate a complex business structure with multiple layers of Offshore Holding Companies, Subsidiary Holding Companies, and finally some Operating Companies to help protect our interests. The main marketing entity for our business is based in the United States of America and an operational entity is based out of Nevis.

3. We utilize third party email systems to contact clients who opt in for our newsletters and Google Analytics for basic website traffic monitoring and troubleshooting.

4. If a valid DMCA complaint is received while the offending connection is still active, we stop the session and notify the active user of that session, otherwise we are unable to act on any complaint as we have no way of tracking down the user. It is important to note that we ALMOST NEVER receive a VALID DMCA complaint while a user is still in an active session.

5. This has never happened in the history of our company. Our customer’s privacy is of top most importance to us. We are required to comply with all valid court orders. We would proceed with the court order with complete transparency, but we have no data to provide any court in any jurisdiction. We would not rule out relocating our businesses to a new jurisdiction if required.

6. Yes, all traffic is allowed.

7. We accept PayPal, Credit Cards, Bitcoin, Cash, and Money Orders. We keep user authentication and billing information on independent platforms. One platform is operated out of the United States of America and the other platform is operated out of Nevis. We offer the ability for the customer to permanently delete their payment information from our servers at any point. All customer data is automatically removed from our records shortly after the customer ceases being a paying member.

8. We recommend using OpenVPN if at all possible (available for Windows, Apple, Linux, iOS, Android) and it uses the AES-256-CBC algorithm for encryption.

Our Windows and Mac client incorporates IP and DNS leak protection which prevents DNS leaks and provides better protection than ordinary ‘kill-switches’. Our IP leak protection proactively keeps your IPv4 and IPv6 traffic from leaking to untrusted networks. This was one of the first features we discussed internally when we were developing our network, it is a necessity for any good VPN provider.

SlickVPN Scramble is available to all of our customer accounts. This feature provides an added level of privacy by obfuscating the OpenVPN headers allowing the customer to bypass Deep Packet Inspection (DPI). Using SlickVPN Scramble will allow users to access our network when VPN access is restricted by certain countries, universities, workplaces, or organizations. We also offer our HYDRA product, which utilizes revolutionary multi-hop, multi-destination connections to block anyone from tracking your online activities.

9. Yes. Our users are provided with a custom client, designed by our in-house engineers. Currently, the client works with Windows and Mac products. Our client does NOT store logs on customer computers by default. We also provide guides for every other platform.

10. Yes

11. We run a mix. We physically control some of our server locations where we have a heavier load. Other locations are hosted with third parties unless there is enough demand in that location to justify racking our own server setup. To ensure redundancy, we host with multiple providers in each location. We have server locations in over forty countries. In all cases, our network nodes load over our encrypted network stack and run from ramdisk. Anyone taking control of the server would have no usable data on the disk. We run an algorithm to randomly reboot each server on a regular basis so we can clear the ramdisk.

3. We use basic inbound marketing tools like Google Analytics, but we do not track user activities outside of our site. We also do not track the browsing activities of users who are logged into our VPN service.

4. We do not store, host, stream or provide any content, media, images or files that would be subject to a properly formed takedown notice.

5. First, any request has to be a valid and lawful request before we will even acknowledge the request. If the request is for user data or identification of a subscriber based on an IP address, we inform the agency making the request that we do not keep any logs and we operate in a Jurisdiction that does not require mandatory data retention. Sometimes, legal agencies or authorities may not be happy with this response. We politely remind them that IPVanish operates within the letter of the law and is a valid and needed service to protect the privacy of its subscribers.

6. Yes.

7. Bitcoin, PayPal and all major credit cards are accepted. Payments and service use are in no way linked.

8. We recommend OpenVPN with 256 bit AES as the most secure VPN connection and encryption algorithm.

IPVanish does have a Kill Switch feature that terminates all network traffic to prevent any DNS leaks in the event your VPN connection drops. We also have a user-enabled option that automatically changes your IP address randomly at selected time intervals.

11. We own and have physical control over our entire operational infrastructure, including the servers. Unlike other VPN services, we actually own and operate a global IP network backbone optimized for VPN delivery which ensures the fastest speeds of any VPN provider.

12. We have servers in over 60 countries including the US, Australia, United Kingdom, Canada and more. You can view the complete list on our servers page.

1. No logs are retained that would allow the correlation of a user’s IP address to a VPN address. The session database does not include the origin IP address of the user. Once a connection has been terminated the session information is deleted from the session database.

2. The name of the company is PrivActually Ltd. which operates out of Cyprus.

3. We do not use any visitor tracking mechanism not even passive ones analyzing the webserver logs. Neither do we use a ticket system to manage support requests. We stick to a simple mail system and delete old data after 3 months from our mail boxes.

4. The staff forwards them to the BOFH. Notices sent via paper are usually converted into energy by combustion … to power the data center in the basement where the BOFH lives. Digital SPAM^WDMCA notices are looped back into the kernel to increase the VPNs /dev/random devices entropy.

5. We evaluate the request according to the legal framework set forth in the jurisdictions we operate in and react accordingly. We had multiple cases where somebody tried but did not succeed to identify active users on the system. Examples:

– A French company which sent lawyers to identify a whistle-blower.
– The Polish police which contacted us because somebody made a bomb threat in a bigger mall in Poland.
– The Russian oligarch state which tried to learn who was hosting a torrent website on the VPN.

All cases were resolved without disclosing the identities. Our general stance is that IF we are in a position where we would need to weigh common good vs. running the VPN service we would sacrifice the VPN service.

6. Besides filtering SMTP on port 25 we do not impose any restrictions on protocols our users can use on the VPN, quite the contrary. We believe our role is to provide a net-neutral internet access.

Every user is free to share his/her/its files. We are conservative people and firmly believe in the heritage of our society, which was built upon the free exchange of cultural knowledge. This new age patent system, and the idea that we need companies who milk creators are simply alien to us.

7. We offer PayPal, Bitcoins, Payza, and PaySon fully integrated. OkPay, Transferwise, WU, PerfectMoney, Webmoney, Amazon Giftcards, Cash and Credit Cards on request. An internal transaction ID is used to link payments to their payment processors. We do not store any other data about payments associated with the users account.

8. We provide up to date config files and enforce TLS1.2 for the control channel on all supported systems. For further protection we provide detailed setup instructions for our users. Besides the public and VPN internal DNS servers we also support DNSCrypt as a means to encrypt DNS requests. Howtos for kill switches are available as well. We do not enforce a particular client.

9. Not at the moment.

10. As stated in 8) we run both public and VPN internal DNS Servers and also support DNSCrypt.

11. We own our complete setup, network, and data center with everything in it – no 3rd parties are allowed access. We do not trust in 3rd parties operating our core infrastructure. More details are available here.

12. They are in Sweden due to the laws that allow us to run our service in a privacy protecting manner.

1. No. This would make both us and our users more vulnerable so we certainly don’t. To make it harder to watch the activities of an IP address from the outside we also have many users share each address, both for IPv4 and IPv6.

2. Amagicom AB. Swedish.

3. We have no external elements at all on our website. We do use external email and encourage people sending us email to use PGP encryption, which is the only effective way to keep email somewhat private. The decrypted content is only available to us.

4. There is no such Swedish law that is applicable to us.

5. We get requests from governments from time to time. They never get any information about our users. We make sure not to store sensitive information that can be tied to publicly available information, so that we have nothing to give out. We believe it is not possible in Swedish law to construct a court order that would compel us to actually give out information about our users. Not that we would anyway. We started this service for political reasons and would rather discontinue it than having it work against its purpose.

Regarding crypto ideally we would recommend Ed25519 for certificates, Curve25519 for key exchange (ECDHE), and ChaCha20-Poly1305 for data streams but that suite isn’t supported by OpenVPN. We therefore recommend and by default use RSA-2048, D-H (DHE) and AES-256-CBC-SHA.

That said, cryptographic algorithms, key lengths etc are usually the strongest part of a system and hardly ever the right thing to focus on. It’s like worrying about whether to have a 128 mm or 256 mm thick steel door on a house with wooden walls and glass windows.

We provide a kill switch and DNS leak protection as well as IPv6 leak protection (and IPv6 tunneling).

9. Yes. Windows, Linux and OS X. The client program stores connection logs for the current and last time it ran on its computer.

10. Yes.

11. We have a range of servers. On one end servers lovingly assembled and configured by us with ambitious physical security in data centers owned and operated by people we trust personally and whose ideology we like. On the other end rented hardware in big data centers. Which to use depends on the threat model and performance requirements.

1. No. We purge this information when the user disconnects from the VPN.

2. BLACKVPN LIMITED is a registered company in Hong Kong and operates under the jurisdiction of Hong Kong.

3. We use StreamSend for sending generic welcome and renewal reminder emails, as well as for the occasional news updates. We have Facebook and Twitter widgets on our front page that may track visitors. We host our own website analytics, support system and live chat systems using open source tools.

4. We temporarily block the port on the VPN server listed in the notice.

5. If we received a valid court order from a Hong Kong court then we would be legally obliged to obey it. This has never happened yet.

6. It is only allowed on our Privacy VPN locations, due to stricter enforcement of these notices in the USA and UK.

8. We always recommend OpenVPN and our VPN servers enforce AES-256-CBC encryption and use 4096 bit RSA and Diffie Hellman keys. The open source OpenVPN client can now be configured for DNS leak prevention and not to leak any traffic if the VPN connection drops. We package the Windows OpenVPN client pre-configured this way for our users, and we also package the OS X Tunnelblick app to prevent IP leaks too.

9. Android – currently in beta but almost ready for release. Only the connection log from the last connection is kept.

10. We proxy DNS queries to UncensoredDNS.org / CensurfriDNS.dk

11. We use dedicated servers which are hosted in 3rd party data centers.

1. No, this is fundamental to the service we provide. It is also in our interests not to do so as it minimizes our own liability and is not required by law.

2. Privatus Limited, Gibraltar.

3. No. We made a strategic decision from day one that no company or customer data would ever be stored on 3rd party systems. Our customer support software, email, web analytics (Piwik), issue tracker, monitoring servers, code repos, configuration management servers etc. all run on our own dedicated servers that we set up, configure and manage. No 3rd parties have access to our servers or data.

4. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

5. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provided us with an email address and asked for the customer’s identity then we would reply that we do not store any personal data. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question.

6. Yes, we don’t block BitTorrent or any other protocol on any of our servers. We do kindly request that our customers use non-USA based exit servers for P2P. Any company receiving a large number of DMCA notices is exposing themselves to legal action and our upstream providers have threatened to disconnect our servers in the past.

7. We accept Bitcoin, Cash, PayPal and credit cards. When using cash there is no link to a user account within our system. When using Bitcoin, we store the Bitcoin transaction ID in our system. If you wish to remain anonymous to IVPN you should take the necessary precautions when purchasing Bitcoin. When paying with PayPal or a credit card a token is stored that is used to process recurring payments. This information is deleted immediately when an account is terminated.

8. We provide RSA-4096 / AES-256 with OpenVPN, which we believe is more than secure enough for our customers’ needs. If you are the target of a state level adversary or other such well-funded body you should be far more concerned with increasing your general opsec than worrying about 2048 vs 4096 bit keys.

The IVPN client offers an advanced VPN firewall that blocks every type of IP leak possible (DNS, network failures, WebRTC STUN, IPv6 etc.). It also has an ‘always on’ mode that will be activated on boot before any process on the computer starts. This will ensure that no packets are ever able to leak outside of the VPN tunnel.

9. Yes, we offer a custom OpenVPN based client for Windows and OSX which includes our advanced VPN firewall that blocks every type of possible IP leak.

10. Yes, absolutely.

11. We use bare metal dedicated servers leased from 3rd party data centers in each country where we have a presence. We install each server using our own custom images and employ full disk encryption to ensure that if a server is ever seized its data is worthless. We also operate an exclusive multi-hop network allowing customers to choose an entry and exit server in different jurisdictions which would make the task of legally gaining access to servers at the same time significantly more difficult.

3. We use Google Analytics with Anonymous IPs turned on throughout the site. We use Facebook insights and Open Graph on our front end website to track our blog’s impact on social media. We use Stripe as our credit card processor.

4. All datacenters in the USA require some response now. Some are just a simple checkbox, and others want a written reply. We have had to remove servers from several locations because of our zero log policy. We respect and abide by U.S. and EU copyright laws including the requirements of the DMCA and rely on our users to do the same. Because we do not log our users’ activities we are not able to identify users that may be infringing the legal copyrights of others.

5. This has never happened. Depending on your payment method we limit the amount of personal data on file. So much so that if a user pays with Bitcoin it is just a first name and email address. If a valid court order comes in asking us to identify someone that is in our system, we would be required to provide that person’s billing information. Even if it is just a transaction number, first name and email address.

6. Yes, they are.

7. We currently accept Credit cards, BTC, cash and PayPal. Billing and Authentication are separate. Recently we have completely overhauled our billing and authentication infrastructure to make use of SHA512 salted credentials that our billing system updates using encrypted tokens. Everything related to billing and user authentication that is sent “over the wire” is done so with the use of proxies on both sides that encrypt the data using 256 bit AES encryption and pass it to another proxy that turns it back into something our authentication network can process.

8. Well, if you are concerned about your privacy then use our IP Modulation, which changes a user’s public IP address several times during a single page load. It can sometimes break websites, so we recommend it only for that 1% of users.

We use AES-256-CBC, 4096 bit RSA keys and SHA512 auth. Currently, it is the best encryption OpenVPN supports natively. Our software comes with a tool called Liquid Lock which builds custom firewall rules using your operating system’s firewall to prevent DNS leaks, disconnect leaks, WebRTC leaks, IPv6 leaks and any other type of leak preventable with firewall rules.

9. Yes, we do. We have Windows, Mac and Android applications currently available. OSX and Linux are in production. Our client only keeps essential connection logs for the active session, once the session is disconnected the logs erase from memory.

11. We have control over our network. Every server we own runs on either a custom compiled Gentoo kernel or RouterOS. We lease the hardware from tier 3 or higher datacenters all over the world. No one but us has access to these servers.

12. Currently, we have multiple USA and the Netherlands locations. We also have servers in Canada, the United Kingdom, Sweden, Germany, Romania, Singapore and Switzerland.

2. The company name is Anonymous SARL and operates under the jurisdiction of the Kingdom of Morocco.

3. We use Google Analytics and Tawk live support.

4. There is nothing to take down since we don’t host any files in the first place.

5. This has never happened before, but we won’t be able to cater to their demand as we can’t identify that user within our system.

6. BitTorrent and other P2P protocols are allowed on all our servers.

7. We use BitPay (BitCoins), PayPal, HiPay.

8. We recommend OpenVPN for desktop and IKEv2 for mobile devices. As for the encryption, we use the AES-256-CBC algorithm. DNS leak protection is already enabled; however, “kill switches” will be available soon.

9. We provide a custom VPN application for Mac and Windows based on OpenVPN, and mobile apps (Android and iOS) based on IKEv2. And again, we do not keep any connection logs.

10. We use our own DNS servers.

11. We have a mix, physical control over most of our infrastructure and some exotic locations are hosted by 3rd party partners.

3. We use a service from Provide Support (ToS) for live support. They do not hold any information about the chat session. From Provide Support: “Chat conversation transcripts are not stored on Provide Support chat servers. They remain on the chat server for the duration of the chat session, then optionally sent by email according to the user account settings, and then destroyed.” We’re also using Google Analytics and Statcounter for collecting statistics on how many visitors we have, popular pages and conversion of all ads. This data is used for optimization of the website and advertisement.

4. We do not store any kind of logs of our customers’ activity, which also will be informed.

5. Due to our policy of NOT keeping any logs, there is nothing to provide about users of our service. It has never happened.

6. Yes, we allow Torrent traffic. We buy high-capacity internet traffic so we can meet the demands. On some locations we use Tier1 IP transit providers for best speed and routing to other peers.

7. PayPal, Payson, Bitcoin. Every payment has an order number, which is linked to a user. Otherwise we wouldn’t know who has made a payment. To be clear, you can’t link a payment to an IP address you get from us or a user activity.

8. OpenVPN TUN with AES-256. On top is a 2048-bit DH key. For our Windows VPN client, we have a feature called “Connection guard”, which will close a selected program(s) if the connection drops. We have no tools for DNS leak but the best way, which is always 100%, is to change the local DNS on the device to DNS servers we provide. We’re working on a feature that does this so the customer doesn’t need to change it manually for 100% protection.

9. Yes, for Windows. We’re working on a custom VPN application for Mac OS X also. Our VPN application, as all other VPN applications, stores a connection log locally on the computer for troubleshooting purposes. This information is only stored locally and can’t be accessed by us or anyone else. The connection logs contain information about which VPN server the user is connecting to and any kind of errors.

10. We use a DNS from Censurfridns.

11. We have physical control over our servers and network in Sweden. All other servers and networks are hosted by ReTN, Kaia Global Networks, Leaseweb, Blix, Creanova, UK2, Fastweb, Server.lu, Selectel and Netrouting. We ONLY work with trusted providers.

1. Nope, no logs. We use OpenVPN with logs set to /dev/null, and we’ve even gone the extra mile by preventing client IPs from appearing in the temporary “status” logs using our patch available at https://cryptostorm.is/noip.diff.

2. We’re a decentralized project, with intentional separation of loosely-integrated project components. We own no intellectual property, patents, trademarks, or other such things that would require a corporate entity in which ownership could be enforced by the implied threat of State-backed violence; all our code is published and licensed opensource.

3. No, we don’t use any external visitor tracking or email providers.

4. Our choice is to reply to any such messages that are not obviously generated by automated (and quite likely illegal) spambots. In our replies, we ask for sufficient forensic data to ascertain whether the allegation has enough merit to warrant any further consideration. We have yet to receive such forensic data in response to such queries, despite many hundreds of such replies over the years.

5. See above. We have never received any valid court orders requesting the identity of a user, but if we ever did receive such a request, it would be impossible for us to comply as we keep no such information.

6. Yes, all traffic is allowed.

7. We accept PayPal and bitcoin via BitPay, although we will manually process any other altcoin if a customer wishes. We don’t have financial information connected in any way to the real-life identity of our network members; our token-based authentication system removes this systemic connection, and thus obviates any temptation to “squeeze” us for private data about network membership. We quite simply know nothing about anyone using our network… save for the fact that they have a non-expired (SHA512 hash of a) token when they connect. Also, we now process BitPay orders instantly in-browser, so we no longer require an email address for bitcoin orders.

8. We only support one cipher suite on-net. Offering “musical chairs” style cipher suite roulette is bad opsec, bad cryptography, and bad administrative practice. There is no need to support deprecated, weak, or known-broken suites in these network security models; unlike browser-based https/tls, there are no legacy client-side software suites that must be supported. As such, any excuse for deploying weak cipher suites is untenable. Everyone on cryptostorm receives equal and full security attention, including those using our free/capped service “Cryptofree”.

There are no “kill switch” tools available today that actually work. We have tested them, and until we have developed tools that pass intensive forensic scrutiny at the NIC level, we will not claim to have such. Several in-house projects are in the works, but none are ready yet for public testing.

We take standard steps to encourage client-side computing environments to route DNS queries through our sessions when connected. However, we cannot control things such as router-based DNS queries, Teredo-based queries that slip out via IPv6, or unscrupulous application-layer queries to DNS resolvers that, while sent in-tunnel, nevertheless may be using arbitrary resolver addressing. Our Windows client attempts to prevent some of this, but it’s currently impossible to do so completely. We are saddened to see others who claim they have such “magical” tools; getting a “pass” from a handful of “DNS leak” websites is not the same as protecting all DNS query traffic. Those who fail to understand that are in need of remedial work on network architecture.

As we run our own mesh-based system of DNS resolvers, “deepDNS”, we have full and arbitrary control over all levels of DNS resolution presentation to third parties.

9. We offer an open source application written in Perl (dubbed the “CS widget”), source code available at GitHub. Currently only for Windows, but we are working on porting it to Linux. The application is essentially an OpenVPN GUI with some tweaks here and there to prevent different types of leaks (DNS, IPv6, etc.), and to make connecting as easy as possible. Output from the backend OpenVPN process is shown in the GUI. When you exit the program, that data is forgotten.

10. We have constructed a mesh-topology system of redundant, self-administered secure DNS resolvers which has been collected under the label of “deepDNS”. deepDNS is a full in-house mechanism that prevents any DNS related metadata from being tied to any particular customer. It also allows us to provide other useful features such as transparent .onion, .i2p, .p2p, etc. access. There is also DNSCrypt support on all deepDNS servers to help protect pre-connect DNS queries.

11. We deploy nodes in commodity datacenters that are themselves stripped of all customer data and thus disposable in the face of any potential attacks that may compromise integrity. We have in the past taken down such nodes based on an alert from onboard systems and offsite, independently maintained remote logs that confirmed a violation was taking place. It is important to note that such events do not explicitly require us to have physical control of the machine in question: we push nameserver updates, via our HAF (Hostname Assignment Framework) out via redundant, parallel channels to all connected members and by doing so we can take down any node on the network within less than 10 minutes of initial commit.

12. Our current server list (as of the beginning of 2016) is: Moldova, Switzerland, Canada, Portugal, Germany, Italy, France, England and USA. Keep in mind that we are constantly adding new servers to this list.
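The token scheme described in answer 7 above, as an added Python sketch (not cryptostorm's code): the server keeps only a SHA-512 digest and an expiry per token, so the store holds nothing that names a customer. The function names, the in-memory dict store and the 30-day validity are assumptions made for illustration.

```python
import hashlib
import secrets
import time

DAY = 86400  # seconds


def token_digest(token):
    """SHA-512 hex digest of a token; the only form the server stores."""
    return hashlib.sha512(token.encode("utf-8")).hexdigest()


def issue_token(store, valid_days=30, now=None):
    """Create a random token and record only its digest and expiry.

    Assumption: `store` is a dict {digest: expiry_epoch}. Nothing about the
    buyer (e-mail, payment reference, IP address) is written next to it.
    A plain unsalted hash is acceptable here only because the token is a
    256-bit random value, not a human-chosen password.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[token_digest(token)] = now + valid_days * DAY
    return token  # shown to the buyer once, never stored server-side


def check_token(store, presented, now=None):
    """Return True if the presented token hashes to a non-expired entry."""
    now = time.time() if now is None else now
    expiry = store.get(token_digest(presented))
    return expiry is not None and now < expiry


def purge_expired(store, now=None):
    """Delete expired digests so stale records do not accumulate."""
    now = time.time() if now is None else now
    stale = [d for d, exp in store.items() if exp <= now]
    for d in stale:
        del store[d]
    return len(stale)


if __name__ == "__main__":
    store = {}
    t0 = 1_700_000_000  # constructed timestamp, not real data
    token = issue_token(store, valid_days=30, now=t0)
    print(check_token(store, token, now=t0 + 29 * DAY))
    print(check_token(store, token, now=t0 + 31 * DAY))
    print(store)  # everything a seized copy of the store would contain
```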

3. We use Zendesk and Zopim but will be weaning this off. We generally delete Zendesk tickets older than 6 months. We are exploring moving to open source self hosted options (such as osticket) but feel that the user experience of such options is less than ideal. This is definitely an area that we are actively looking at with the revision of our customer portal that is underway. We have been using Google Analytics to gauge our conversions and where our customers are coming from but have removed this. E-mail is self hosted.

4. Generally we work with the providers to resolve the issue and we have never given up any of our customer information. Generally we terminate our relationship with the provider if this is not acceptable. Our US servers under DMCA jurisdiction or UK (European equivalent) have P2P locked down.

5. This has not happened yet but we do not keep any user logs so there is not much that can be provided especially if the payment is via an anonymous channel. One of our founders is a lawyer so such requests will be examined on their validity and we will resist such requests if done without proper cause or legal backing. We also endeavor to keep our customers informed if there are any such requests. If we are prevented from doing so, we also maintain a PGP signed warrant canary which is updated in the first week of every month which will cease to be updated if we are required to log without informing our users. (http://bolehvpn.net/canary.html)

6. Yes, it is allowed except on those marked Surfing-Streaming and BolehGEO which are restricted either due to the provider’s policies or limited bandwidth.

7. We use MolPay, 2Checkout, PayPal, Coinbase (Bitcoin), Coinpayments (Dash and XEM) and direct deposits. On our system it is only marked the Invoice ID, the account it’s for, the method of payment and whether it’s paid or not. We however of course do not have control of what is stored with the payment providers.

8. Our Cloak configurations implement 256 bit AES and a SHA-512 HMAC combined with a scrambling obfuscation layer. We do have a lock down/kill switch feature and DNS leak protection.

9. Yes, for Windows and Mac OS X. There’s a basic user log with a very minimal verbosity level of 1 (where 0 is silent and 9 is most verbose) stored in log.txt in the installation folder. Users are free to delete this if they wish from time to time. They are mainly used for troubleshooting purposes.

10. Yes, we do use our own DNS servers.

11. Our servers are rented from server providers throughout the world with whom we have built a longstanding relationship. However we do retain full root access. We are not a white label reseller and control our own infrastructure. It is to be noted that our VPN service authenticates entirely using public key infrastructure (PKI) without the requirement to use a central authentication server. This means that there is no communication needed from our customer portal server to establish a valid VPN connection to our VPN servers meaning there is no central authentication point.

12. We have servers in Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Singapore, Switzerland, United Kingdom and United States.

4. Since DMCA is not applicable in Sweden, these are ignored. If they keep sending e-mails we politely tell them that we cannot hand out any information or stop the activity since we have no possibility to trace the user, and no logs are kept.

5. We inform the other party that we are unable to hand out any information since we do not keep any logs or monitor the traffic.

6. Yes

7. PayPal, Credit card, Bitcoins, Swish.

8. AES-256-CBC with SHA512 HMAC and TLS authentication. We do not provide any kill switches but since our DNS servers are open for anyone to use we recommend all users to use them as default DNS servers to prevent leaks and blocking from their own ISP’s DNS.